Delaware’s insurance department says Social Security numbers and other personal data of more than 2,900,000 people may have been compromised over nearly a decade due to a breach at a large vision and dental insurer.

The Delaware News Journal reports someone may have obtained bank account and routing numbers, social security numbers and insurance and tax information from the insurer Dominion National. The company says the information may have been compromised when a server was accessed by an “unauthorized third party” in 2010. Dominion National says there’s “no evidence that any information was in fact accessed.”

The Department of Health and Human Services breach reporting tool shows that 2.96 million patients have been notified that their data was potentially breached during the hack. Officials received an internal alert about unauthorized access and launched an investigation. They discovered an unauthorized party accessed some of Dominion National’s computer servers, beginning as early as August 25, 2010 – nearly nine years before the investigation concluded on April 24, 2019.

The notice did not explain what spurred the internal alert, nor when they first discovered the hack. However, the notice was sent about 60 days after the investigation concluded. It’s important to note that under HIPAA, covered entities are required to report breaches within 60 days of discovery.

Upon discovery, officials said they took steps to quickly clean the impacted servers and launched a review. Dominion National determined the hackers were potentially able to access enrollment and demographic data of current and former members of the insurer’s vision plan, and data of individuals with dental and vision benefits. The servers also contained the data of plan producers and health providers.

The compromised data varied by individual and could include names, Social Security numbers, taxpayer identification numbers, bank account and routing numbers, member ID numbers, group numbers, subscriber numbers, addresses, and email addresses.

According to officials, the insurer has since enhanced its monitoring and alerting software. Dominion National also reported the security incident to the FBI. All patients will receive two years of credit and fraud protection services.

“We recognize the frustration and concern that this news may cause, and rest assured we are doing everything we can to protect your information moving forward,” Dominion National President Mike Davis said in a statement. “We are committed to making sure you get the tools and assistance you need to help protect your information.”

The healthcare sector continues to be plagued with server-related breaches. A recent Clearwater report found that the majority of breaches in 2018 were in some way caused by a server, with about 63 percent of all critical and high risks caused by an inadequately addressed security flaw in servers.

To better detect unauthorized access, Clearwater researchers recommended organizations use security controls to automatically disable or remove dormant accounts, or frequently review user permissions. Larger organizations, such as insurers, can utilize a log analyzer to automatically aggregate and analyze activity logs.

“A program with this functionality can more likely readily identify potential malicious activity caused by multiple system weaknesses,” the researchers wrote at the time. “The frequency of such reviews will be dictated by the number of system users and the frequency of user turnover. However, for those systems with 100 or more users, user permission reviews conducted at least quarterly are recommended.”
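
One way to apply the dormant-account and log-review recommendation above, as an added example that is not from Clearwater or Dominion National: the script reads successful logins from an activity log, lists accounts idle past a threshold, and flags logins that end a long dormancy. The log format, account names and 90-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <account> <event>". Not real log data.
SAMPLE_LOG = """\
2018-03-02T08:15:00 svc_backup LOGIN_OK
2019-01-10T09:01:00 alice LOGIN_OK
2019-03-28T17:40:00 bob LOGIN_OK
2019-04-02T02:13:00 alice LOGIN_FAIL
2019-04-20T02:14:00 svc_backup LOGIN_OK
2019-04-22T08:55:00 bob LOGIN_OK
"""
# Constructed account inventory; "carol" has never logged in.
ACCOUNTS = ["alice", "bob", "carol", "svc_backup"]
MAX_IDLE = timedelta(days=90)  # assumed dormancy threshold


def parse(log_text):
    """Return (timestamp, account) for each successful login, oldest first."""
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "LOGIN_OK":
            continue  # skip malformed lines and failed attempts
        rows.append((datetime.fromisoformat(parts[0]), parts[1]))
    return sorted(rows)


def dormant_accounts(logins, accounts, now, max_idle=MAX_IDLE):
    """Accounts with no successful login inside the idle window, or ever."""
    last = {user: ts for ts, user in logins if ts <= now}
    return sorted(a for a in accounts
                  if a not in last or now - last[a] > max_idle)


def reactivations(logins, max_idle=MAX_IDLE):
    """Logins that end a dormancy longer than max_idle: candidates for review."""
    last, hits = {}, []
    for ts, user in logins:
        if user in last and ts - last[user] > max_idle:
            hits.append((user, last[user], ts))
        last[user] = ts
    return hits


if __name__ == "__main__":
    logins = parse(SAMPLE_LOG)
    print("disable or review:", dormant_accounts(logins, ACCOUNTS, datetime(2019, 4, 24)))
    for user, prev, ts in reactivations(logins):
        print(f"alert: {user} logged in at {ts} after being idle since {prev}")
```

Accounts in the first list are candidates for automatic disabling, while the reactivation alerts surface a long-idle account that suddenly becomes active again.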